[Webkit-unassigned] [Bug 57756] chrome.dll!WebCore::RenderStyle::fontMetrics ReadAV at NULL (two crashes)
bugzilla-daemon at webkit.org
Tue May 10 04:00:57 PDT 2011
https://bugs.webkit.org/show_bug.cgi?id=57756
Berend-Jan Wever <skylined at chromium.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hyatt at apple.com
--- Comment #2 from Berend-Jan Wever <skylined at chromium.org> 2011-05-10 04:00:57 PST ---
This is probably related to bug 51466 or a variation thereof.
Crash id for debug builds:
chrome.dll!WebCore::Font::primaryFont ReadAV at NULL (8f0571b4327014e218145b45bae3bada)
Simplified repro:
<script>
document.documentElement.innerHTML = '<title style="border:0ex;">x';
</script>
m_fontList is NULL in:
webkit\source\webcore\platform\graphics\font.h
inline const SimpleFontData* Font::primaryFont() const
{
ASSERT(m_fontList);
return m_fontList->primarySimpleFontData(this);
}
Which is called by:
webkit\source\webcore\platform\graphics\font.h
const FontMetrics& fontMetrics() const { return primaryFont()->fontMetrics(); }
Which is called by:
webkit\source\webcore\rendering\style\renderstyle.h
const FontMetrics& fontMetrics() const { return inherited->font.fontMetrics(); }
Which is called by:
webkit\source\webcore\css\cssprimitivevalue.cpp
double CSSPrimitiveValue::computeLengthDouble(RenderStyle* style, RenderStyle* rootStyle, double multiplier, bool computingFontSize)
{
unsigned short type = primitiveType();
<<<snip>>>
switch (type) {
<<<snip>>>
case CSS_EXS:
<<<snip>>>
factor = style->fontMetrics().xHeight();
A few calls up the stack we see this:
webkit\source\webcore\css\cssstyleselector.cpp
PassRefPtr<RenderStyle> CSSStyleSelector::styleForElement(Element* e, RenderStyle* defaultParent, bool allowSharing, bool resolveForRootDefault, bool matchVisitedPseudoClass)
{
<<<snip>>>
// Now do the author and user normal priority properties and all the !important properties.
if (!resolveForRootDefault) {
applyDeclarations<false>(false, lastUARule + 1, m_matchedDecls.size() - 1);
applyDeclarations<false>(true, firstAuthorRule, lastAuthorRule);
I believe the problem is that Font::update should have been called before we hit this code. It sets m_fontList for the font:
http://codesearch.google.com/codesearch/p?hl=en#OAMlx_jo-ck/src/third_party/WebKit/Source/WebCore/platform/graphics/Font.cpp&q=Font::update&exact_package=chromium&sa=N&cd=1&ct=rc&l=115
void Font::update(PassRefPtr<FontSelector> fontSelector) const
{
// FIXME: It is pretty crazy that we are willing to just poke into a RefPtr, but it ends up
// being reasonably safe (because inherited fonts in the render tree pick up the new
// style anyway. Other copies are transient, e.g., the state in the GraphicsContext, and
// won't stick around long enough to get you in trouble). Still, this is pretty disgusting,
// and could eventually be rectified by using RefPtrs for Fonts themselves.
if (!m_fontList)
m_fontList = FontFallbackList::create();
m_fontList->invalidate(fontSelector);
}
@hyatt: You wrote the above comment in Font::update, can you have a look?
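The following is an added illustration and is not code from the bug report or from WebKit. It is a small C++ model of the lazily created font list the comment describes: `Font::update` is the only thing that allocates the list, so any caller that reaches `primaryFont()` first (here, the `ex` branch of a length computation) dereferences NULL. The class and function names mirror the report's stack, but `SimpleFontData`, `FontMetrics`, the x-height value and `computeExLength` are stand-ins invented for the example; the guarded variant shows one way a call site can refuse the computation instead of crashing.

```cpp
// Added model of the lazily initialised font list; illustrative only, not
// WebKit's code. Names that mirror WebKit (Font, FontFallbackList,
// primaryFont, update) are simplifications; the metric values are constructed.
#include <cassert>
#include <cstdio>
#include <memory>

struct FontMetrics {
    double xHeight;   // constructed sample metric for the model
};

struct SimpleFontData {
    FontMetrics metrics{5.0};      // constructed: x-height of 5 units
    const FontMetrics& fontMetrics() const { return metrics; }
};

// Stand-in for FontFallbackList: owns a single SimpleFontData.
struct FontFallbackList {
    SimpleFontData primary;
    const SimpleFontData* primarySimpleFontData() const { return &primary; }
};

class Font {
public:
    // As in the report: the list exists only once update() has run.
    void update() const {
        if (!m_fontList)
            m_fontList = std::make_unique<FontFallbackList>();
    }
    bool hasFontList() const { return m_fontList != nullptr; }

    // Unguarded form from the report: with m_fontList still null this is
    // the ReadAV at NULL in the bug title. Not called below.
    const SimpleFontData* primaryFontUnguarded() const {
        return m_fontList->primarySimpleFontData();
    }

    // Guarded form: surface the missing list to the caller instead of crashing.
    const SimpleFontData* primaryFontOrNull() const {
        return m_fontList ? m_fontList->primarySimpleFontData() : nullptr;
    }

private:
    mutable std::unique_ptr<FontFallbackList> m_fontList;
};

// Model of the CSS_EXS branch of computeLengthDouble for a length given in
// 'ex'. Returns false and leaves `out` untouched when the font has no list
// yet, which is the state the <title style="border:0ex"> repro reaches.
bool computeExLength(const Font& font, double exValue, double& out) {
    const SimpleFontData* primary = font.primaryFontOrNull();
    if (!primary)
        return false;                  // would otherwise be a null dereference
    out = exValue * primary->fontMetrics().xHeight;
    return true;
}

int main() {
    Font font;
    double px = 0;
    // Before update(): the guarded path refuses rather than crashing.
    printf("before update: %s\n",
           computeExLength(font, 2.0, px) ? "ok" : "no font list");
    font.update();
    if (computeExLength(font, 2.0, px))
        printf("after update: 2ex = %.1f\n", px);
    return 0;
}
```

The point of the guarded variant is only to make the ordering assumption explicit; in the real code the fix the comment argues for is to make sure Font::update runs before style resolution reaches fontMetrics(), not to tolerate a missing list at every call site.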